diff --git a/hosts/idols-aquamarine/tailscale.nix b/hosts/idols-aquamarine/tailscale.nix
new file mode 100644
index 00000000..e6ec6666
--- /dev/null
+++ b/hosts/idols-aquamarine/tailscale.nix
@@ -0,0 +1,11 @@
+{
+ # enable tailscale on aquamarine
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "server";
+ extraSetFlags = [
+ # access home network via tailscale
+ "--advertise-routes=192.168.5.0/24"
+ ];
+ };
+}
diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix
deleted file mode 100644
index 7321fc7f..00000000
--- a/modules/nixos/base/networking.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- # for security reasons, only open the following ports to the network by default.
- networking.firewall.allowedTCPPorts = [
- # localsend
- 53317
-
- # tcp ports for testing & sharing
- 63080
- 63081
- 63082
- 63083
- 63084
- 63085
- 63086
- 63087
- 63088
- 63089
- ];
- # networking.firewall.allowedUDPPorts = [ ... ];
-
- # Network discovery, mDNS
- # With this enabled, you can access your machine at .local
- # it's more convenient than using the IP address.
- # https://avahi.org/
- services.avahi = {
- enable = true;
- nssmdns4 = true;
- publish = {
- enable = true;
- domain = true;
- userServices = true;
- };
- };
-
- # Use an NTP server located in the mainland of China to synchronize the system time
- networking.timeServers = [
- "ntp.aliyun.com" # Aliyun NTP Server
- "ntp.tencent.com" # Tencent NTP Server
- ];
-
- # dynamically update /etc/hosts for testing
- # Note that changes made in this way will be discarded when switching configurations.
- environment.etc.hosts.mode = "0644";
-}
diff --git a/modules/nixos/base/networking/avahi.nix b/modules/nixos/base/networking/avahi.nix
new file mode 100644
index 00000000..802874f2
--- /dev/null
+++ b/modules/nixos/base/networking/avahi.nix
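Review bot: Nothing in this hunk records that `--advertise-routes=192.168.5.0/24` together with `useRoutingFeatures = "server"` makes aquamarine a gateway from the whole tailnet into the home LAN, and that which nodes may actually use that path is decided outside this file. As far as I know Tailscale only activates an advertised subnet route once it is approved in the admin console (or matched by an autoApprovers rule) and reachability is then governed by the tailnet ACLs, so a reader auditing this host's exposure needs to know where to look. I would extend the comment to `# access home network via tailscale; the route must be approved in the admin console and is scoped by the tailnet ACLs`. Worth noting too that the base module sets `enable = lib.mkDefault false`, so the explicit `enable = true` here is what actually starts the daemon on this host.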
@@ -0,0 +1,15 @@
+{
+ # Network discovery on a local network, mDNS
+ # With this enabled, you can access your machine at .local
+ # it's more convenient than using the IP address.
+ # https://avahi.org/
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ publish = {
+ enable = true;
+ domain = true;
+ userServices = true;
+ };
+ };
+}
diff --git a/modules/nixos/base/networking/default.nix b/modules/nixos/base/networking/default.nix
new file mode 100644
index 00000000..049dda93
--- /dev/null
+++ b/modules/nixos/base/networking/default.nix
@@ -0,0 +1,4 @@
+{ mylib, ... }:
+{
+ imports = mylib.scanPaths ./.;
+}
diff --git a/modules/nixos/base/networking/firewall.nix b/modules/nixos/base/networking/firewall.nix
new file mode 100644
index 00000000..0673fb60
--- /dev/null
+++ b/modules/nixos/base/networking/firewall.nix
@@ -0,0 +1,20 @@
+{
+ # for security reasons, only open the following ports to the network by default.
+ networking.firewall.allowedTCPPorts = [
+ # localsend
+ 53317
+
+ # tcp ports for testing & sharing
+ 63080
+ 63081
+ 63082
+ 63083
+ 63084
+ 63085
+ 63086
+ 63087
+ 63088
+ 63089
+ ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+}
diff --git a/modules/nixos/base/networking/misc.nix b/modules/nixos/base/networking/misc.nix
new file mode 100644
index 00000000..b60f40a5
--- /dev/null
+++ b/modules/nixos/base/networking/misc.nix
@@ -0,0 +1,11 @@
+{
+ # Use an NTP server located in the mainland of China to synchronize the system time
+ networking.timeServers = [
+ "ntp.aliyun.com" # Aliyun NTP Server
+ "ntp.tencent.com" # Tencent NTP Server
+ ];
+
+ # dynamically update /etc/hosts for testing
+ # Note that changes made in this way will be discarded when switching configurations.
+ environment.etc.hosts.mode = "0644";
+}
diff --git a/modules/nixos/base/networking/tailscale.nix b/modules/nixos/base/networking/tailscale.nix
new file mode 100644
index 00000000..bdec87ea
--- /dev/null
+++ b/modules/nixos/base/networking/tailscale.nix
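Review bot: `services.avahi.enable = true` with `publish.enable`, `publish.domain` and `publish.userServices` all set is now part of the base module that every host imports (base/networking/default.nix pulls in every sibling via `mylib.scanPaths`), so the server that advertises a LAN route in this same commit also announces itself and its users' services on the local link with no per-host opt-out. If I remember the nixpkgs module correctly its `openFirewall` defaults to true, which additionally opens UDP 5353 on every host — worth confirming. The sibling base tailscale.nix uses `lib.mkDefault false` so hosts can opt in; avahi deserves the same escape hatch, i.e. `{ lib, ... }:` as the first line and `enable = lib.mkDefault true;` so a headless host can disable it without `lib.mkForce`.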
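Review bot: The ten "testing & sharing" ports 63080–63089 are opened in the base module, i.e. on every host by default, which sits awkwardly under the comment that says only the listed ports are open "for security reasons"; test ports belong in the desktop module or behind `lib.mkDefault` so that servers do not carry them. As a point of style, a consecutive range reads better as `networking.firewall.allowedTCPPortRanges = [ { from = 63080; to = 63089; } ];` than as ten literals, and it makes the intent (a scratch range, not ten specific services) visible. The comment `# tcp ports for testing & sharing` could also name what is expected to listen there, so a later reviewer can tell whether the range is still needed.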
@@ -0,0 +1,43 @@
+{
+ lib,
+ pkgs,
+ ...
+}:
+# =============================================================
+ #
+ # Tailscale - your own private network(VPN) that uses WireGuard
+ #
+ # It's open source and free for personal use,
+ # and it's really easy to setup and use.
+ # Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
+ # Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
+ # Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
+ #
+ # How to use:
+ # 1. Create a Tailscale account at https://login.tailscale.com
+ # 2. Login via `tailscale login`
+ # 3. join into your Tailscale network via `tailscale up --accept-routes`
+ # 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
+ #
+ # Status Data:
+ # `journalctl -u tailscaled` shows tailscaled's logs
+ # logs indicate that tailscale store its data in /var/lib/tailscale
+ # which is already persistent across reboots(via preservation)
+ #
+ # References:
+ # https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/networking/tailscale.nix
+ #
+ # =============================================================
+{
+ # make the tailscale command usable to users
+ environment.systemPackages = [ pkgs.tailscale ];
+
+ # enable the tailscale service
+ services.tailscale = {
+ enable = lib.mkDefault false;
+ port = 41641;
+ interfaceName = "tailscale0";
+ # allow the Tailscale UDP port through the firewall
+ openFirewall = true;
+ };
+}
diff --git a/modules/nixos/desktop/networking/default.nix b/modules/nixos/desktop/networking/default.nix
index 049dda93..cf0692c9 100644
--- a/modules/nixos/desktop/networking/default.nix
+++ b/modules/nixos/desktop/networking/default.nix
@@ -1,4 +1,7 @@
 { mylib, ... }:
 {
 imports = mylib.scanPaths ./.;
+
+ # enable tailscae for all desktop hosts
+ services.tailscale.enable = true;
 }
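Review bot: The banner's step 4 still tells the reader to use the `authKeyFile` option "in the config below", but the config below no longer contains the commented `# authKeyFile = ...` line that the old desktop file had (it is removed in the desktop/networking/tailscale.nix hunk on this page), and step 3's `tailscale up --accept-routes` no longer matches the `extraSetFlags` form the desktop module now uses; the stray backtick after `option` also breaks the sentence. Suggest rewording step 4 to `# 4. For unattended join, set services.tailscale.authKeyFile (see the nixpkgs module linked below)` and step 3 to mention that route acceptance is configured declaratively in the desktop module. Separately, `environment.systemPackages = [ pkgs.tailscale ]` is added unconditionally even though `enable` defaults to false, so the client binary lands on hosts that never run the daemon; `environment.systemPackages = lib.mkIf config.services.tailscale.enable [ pkgs.tailscale ];` (with `config` added to the module arguments) keeps the two in step.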
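Review bot: The added comment misspells the product, `tailscae` → `tailscale`, and `services.tailscale.enable = true;` is redundant with the `enable = true;` that survives as context in the sibling desktop/networking/tailscale.nix hunk below, so the same switch now lives in two files and a future opt-out has to touch both. A plain `= true` also cannot be overridden per host without `lib.mkForce`; `services.tailscale.enable = lib.mkDefault true;` would mirror the base module's `lib.mkDefault false`, though this file would then need `lib` in its argument set.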
diff --git a/modules/nixos/desktop/networking/tailscale.nix b/modules/nixos/desktop/networking/tailscale.nix
index a278bf09..5315eda3 100644
--- a/modules/nixos/desktop/networking/tailscale.nix
+++ b/modules/nixos/desktop/networking/tailscale.nix
@@ -1,46 +1,10 @@
 {
- config,
- pkgs,
- ...
-}:
-# =============================================================
-#
-# Tailscale - your own private network(VPN) that uses WireGuard
-#
-# It's open source and free for personal use,
-# and it's really easy to setup and use.
-# Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
-# Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
-# Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
-#
-# How to use:
-# 1. Create a Tailscale account at https://login.tailscale.com
-# 2. Login via `tailscale login`
-# 3. join into your Tailscale network via `tailscale up --accept-routes`
-# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
-#
-# Status Data:
-# `journalctl -u tailscaled` shows tailscaled's logs
-# logs indicate that tailscale store its data in /var/lib/tailscale
-# which is already persistent across reboots(via preservation)
-#
-# References:
-# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/networking/tailscale.nix
-#
-# =============================================================
-{
- # make the tailscale command usable to users
- environment.systemPackages = [ pkgs.tailscale ];
-
- # enable the tailscale service
+ # enable tailscale on aquamarine
 services.tailscale = {
 enable = true;
- port = 41641;
- interfaceName = "tailscale0";
- # allow the Tailscale UDP port through the firewall
- openFirewall = true;
 useRoutingFeatures = "client";
- extraUpFlags = "--accept-routes";
- # authKeyFile = "/var/lib/tailscale/authkey";
+ extraSetFlags = [
+ "--accept-routes"
+ ];
 };
 }
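Review bot: The new comment `# enable tailscale on aquamarine` is copied verbatim from hosts/idols-aquamarine/tailscale.nix, but this is the shared desktop module, so it names the wrong file; `# desktop hosts join as route clients and accept subnets advertised by other nodes` says what the block actually does. With `useRoutingFeatures = "client"` and `--accept-routes`, every desktop will send 192.168.5.0/24 through aquamarine once that route is approved — presumably the intent, but it silently changes the path to the home LAN and deserves a sentence in the comment. The move from `extraUpFlags` to `extraSetFlags` changes when the flag is applied (as I understand the nixpkgs module, set flags are re-applied via `tailscale set` on each service start rather than once at `up`), which is fine, but the base file's banner still documents the `up --accept-routes` form and should be kept in sync.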